Microsoft Identity Integration Server & Role

Base AccessTheo KostelijkConsultantMicrosoft BVtheok@microsoft.com

Agenda• Microsoft Identity Integration Server

Concepts & Architecture (MIIS)• Authorization Manager (AzMan)

What is Microsoft Identity Integration Server?

• Directory Synchronization

• Password Management

• Provisioning and Workflow

Identity DataIdentity Data

LDAPLDAP SQLSQL

NOSNOS

Mainframe/Mainframe/UnixUnix

MIISMIIS

Connectivity in MIIS 2003, Enterprise Edition• Active Directory• Active Directory Application Mode• Active Directory Global Address List (GAL)• Attribute-value pair text file• Delimited text file• Directory Service Markup Language (DSML) 2.0• Exchange Server 5.5• Exchange Server 5.5 (Bridgehead Server)• Extensible Connectivity• Fixed-width text file• IBM DB2 Universal Database• IBM Directory Server• LDAP Data Interchange Format (LDIF)• Lotus Notes• Novell eDirectory 8.6.2 and 8.7• Oracle Database 8i and 9i• SQL Server 7.0 and 2000• Sun and Netscape Directory Servers• Windows NT 4.0

Exchange 5.5Exchange 5.5

Directory Synchronization• Synchronizes multiple repositories• Management agents use

“touchless” connection to other systems

• Provides attribute-level control• Manage global address lists (GAL)• Automate group and DL

management

Active DirectoryActive Directory

NotesNotes

SunSunOneOne

SQLSQL

OracleOracle

MIISMIIS

Directory SynchronisationHRHRSystemSystem

MIIS

LotusLotusNotesNotes

ActiveActiveDirectoryDirectory

APIAPI

APIAPI

LDAPLDAP

LDAPLDAP

DBDB

DBDB

Attribute Flow

Password Management

• Initial password set when provisioning

• Centralized password control via a Web app & ctr-alt-del– Self-service password change– Helpdesk password reset

Active DirectoryActive Directory

Sun OneSun One

Web app &Web app &CTRL-ALT-DELCTRL-ALT-DEL

MIISMIIS

Provisioning & Workflow• Simple Provisioning & De-provisioning

– Provision users as they appear in authoritative systems

– Set initial values for attributes (including password)

– Disable or delete accounts• Complex Workflow

– Initiate workflow or provisioning system– Integrate with BizTalk– Integrate with 3rd party provisioning

systems

Provisioning Scenario

HRHRSystemSystem

MIIS

iPlanetiPlanetDirectoryDirectory

ActiveActiveDirectoryDirectory

DB

LDAP

LDAP

De-Provisioning Scenario

HRHRSystemSystem

MIIS

iPlanetiPlanetDirectoryDirectory

ActiveActiveDirectoryDirectory

DB

LDAP

LDAP

MIIS Architecture

HR AppHR Appwith SQLwith SQL

ActiveActiveDirectoryDirectory

LotusLotusNotesNotes

Metaverse

Connector Space

Metaverse ObjectConnector

Connector Space Object

Authorization ManagerAzMan Advantages

• Centralized authorization policy for multiple applications• The ability to create security groups outside of Active

Directory and managed by the application administrator• The ability to create groups based on the result of an

LDAP query• Relies on a Policy Store for one or more apps

– Delegated Admin (AD & ADAM only)– XML Store – not recommended for Enterprise Apps– Authorized users “Must” have an actual account on the web

server or user account in AD or ADAM

Introduced in Windows Server 2003 – Also available for Windows Server 2000Introduced in Windows Server 2003 – Also available for Windows Server 2000

Authorization ManagerAdvantages

• 3 Key Mechanisms for user Role Assignments:– Membership in AD or Local Server, or AzMan Groups– LDAP Query Groups– BizRules

• Centrally Managed across the organization without managing Web.config files or changing application code

Web ExpenseApplication

Role={Tasks}, Task={Operations}

DatabaseOperation

WebOperation

DirectoryOperation

PaymentSystem

Operation

AdministratorApproverSubmitter

ChangeApprover

ApproveDeny

Payment

ApproveReject

Report

SubmitReport

CancelReport

CheckStatus

AzMan Groups

AzMan Operation Defenitions

AzMan Task Definitions

How to use AzMan in your code?

MIIS & AzMan (HRApp naar MIIS)

MIIS & AzMan (MIIS Naar AD)

MIIS & AzMan (AzMan & AD)